In only eight days, Tenable helped the bank deploy a Tenable.sc™ server, with a custom audit solution created by its engineers. Subsequently, the audit resulted in a perfect score, as well as the confidence that it was the solution the bank was looking for. In addition, Nessus® delivers scanning and audit capabilities that simplify and facilitate audits.

Founded: 1993

Branches: 12

Financial organizations are on the forefront of cybersecurity, being trusted with sensitive data while also being attractive targets for attackers. Catskill Hudson Bank made it a top priority to build one of the most secure networks in the industry. Their goals included:

Flawless compliance audits

Trustworthy vulnerability scanning

Stable, repeatable operations

Customized and easy-to-understand reporting

About the Catskill Hudson Bank

Catskill Hudson is a community bank with a world-class vision. Founded in 1993, Catskill Hudson has evolved into a technology-focused financial institution that helps its business and consumer customers thrive and grow. Headquartered in Kingston, New York, the bank serves the Catskills, the Hudson Valley, and the Capital District. The bank is subject to regulatory examinations from the Federal Deposit Insurance Corporation (FDIC) and the New York State Department of Financial Services (NYSDFS), and must adhere to regulations and standards from the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, and the Payment Card Industry Data Security Standard (PCI DSS).

The Problem

Ted Tomita, Senior Vice President and Chief Technology Officer, has a goal of “building the most advanced banking network on the planet.” He teamed up with Time Warner Cable Business Class to build a unique, state-of-the-art network that is fast, resilient, redundant and secure. And when it came to securing his network-attached devices and applications, Tomita needed a partner who could provide the highest level of vulnerability protection, reliable compliance auditing, and customizable reporting. The financial industry is on the forefront of cybersecurity, dealing with multiple compliance requirements, breach and hacking threats, spear phishing, and social engineering attacks. Tomita explains, “We store a lot of very sensitive data that we can’t allow to leak out; we need an extremely secure network like no other.”

The Tenable Solution

In 2015, Tomita faced a difficult situation. Using previously purchased third-party security software, he and his staff of four security professionals were running compliance testing for a stringent GLBA audit but were noticing false positives in the report that would nullify their results. Under a tight compliance deadline, Tomita contacted Tenable for assistance. In just eight days, Tenable set up Catskill Hudson with a Tenable.sc™ server, running a GLBA solution created by Tenable engineers and providing clean reports. Their GLBA audit resulted in flawless scores, thanks to Tenable.sc. That trial convinced Tomita that Tenable was the security company he wanted to partner with.

Tenable has since addressed three major issues for Catskill Hudson:

Gamifying vulnerability scanning and patch management to improve team performance

Vulnerability management and patching are cornerstones of any good security program. The Catskill Hudson security analysts are compulsive scanners, scanning something nearly every minute of each day – tools, devices, software, applications. In fact, to motivate his team to improve network security, Tomita created a game of vulnerability management. He challenged his staff to find and fix as many vulnerabilities as possible, earning points for every vulnerability they remediated. For a year, the security analysts checked the nightly scans, patched during the day, and reran the scans to validate their fixes. Each morning, as the vulnerability score dropped, Tomita tallied up the points and recognized their accomplishments. Tenable.sc was easy to use and the team was very excited about the challenge.

“Tenable.sc has become the voice of truth for our network, providing an additional layer of insight to hold ourselves accountable and to validate the success of our security program to our board of directors.”

When Catskill Hudson started regular scanning and patching, Tomita noticed a major discrepancy. “Our other patch management tools would tell us that the network was fine and that we were fully patched, but Tenable.sc would tell us that we were missing a patch. Invariably, when we researched the issue, Tenable.sc was right – it became the voice of truth for our network,” explained Tomita. And when Catskill Hudson systems were audited, the auditors were impressed that they were using Nessus® and Tenable.sc, providing validation and insight that the auditors trusted.

Compliance auditing with confidence

Catskill Hudson must comply with multiple requirements from PCI, FFIEC, GLBA, FDIC, and NYSDFS. The Tenable.sc dashboards and Nessus audits make compliance audits routine. With so many requirements, Tomita sets up scans to address the most stringent regulations driven by the interagency standards from the FFIEC. Resolving an issue for FFIEC standards often also resolves a PCI issue. So they scan against the FFIEC requirements to guarantee compliance at all levels.

Catskill Hudson uses a third-party PCI Approved Scanning Vendor (ASV) for their annual PCI compliance validation assessment. But since waiting up to a year for their vendor to reveal potential problems is a bad practice, they do their own PCI scans monthly to find any PII (personally identifiable information) issues that should be addressed immediately. By running Tenable’s policy audits on a monthly basis, there are no surprises when the auditors come in for the annual assessment. Catskill Hudson routinely receives off-the-chart scores on the official validation tests.

Easily customized reports

As with most banks, Catskill Hudson has numerous in-house reporting requirements for the Board of Directors, executive leadership and the IT steering committee. Each group receives a different report with details relevant to their business needs. “Tenable.sc makes reporting a lot easier,” says Kevin S. McLaren, Executive Vice President and Chief Operating Officer. In fact, all the reports that Catskill Hudson uses are Tenable reports because “they’re a lot easier to read than the reports from our other security tools.” The team creates custom reports that include components from different Tenable dashboards and reports. And visual presentation is just as important; the Tenable.sc reports are perfect for presenting technical information to a non-technical audience, in that audience’s own business language.

The Results

Tomita characterizes Tenable.sc as “the voice of truth for our network, providing an additional layer of insight to hold ourselves accountable and to validate the success of our security program to our board of directors.”

Several key advantages that Tenable brings to Catskill Hudson include:

Stability – Tenable.sc has been very reliable for Catskill Hudson. “When you run an 8 hour scan, you don’t want it to fail after 7 hours. The stability of Tenable.sc is unparalleled.”

Support – From pre-sales demonstrations, through trials, to ongoing customer support, Tenable is with a customer every step of the way. Technical support is just a phone call or message away.

Sales professionals – Tenable sales professionals are knowledgeable and responsive, understanding Tenable products as well as customer business needs.

Next Steps

This year, Catskill Hudson plans to move up to Tenable.sc Continuous View™ as a comprehensive security solution, including log correlation, event management and continuous monitoring for a “live view” of their security posture at any given moment.

Tomita summarizes his thoughts: “I set the bar extremely high and Tenable helped us achieve our goal of building one of the most advanced networks in the banking industry.”
